How to securely use Azure services from an untrusted client?

Question

Let's say I have a simple client Console App that I want to sell to the public. It's going to access an Azure service, let's say Table Storage. How do I secure the keys to Table Storage? It seems like it's impossible to do with just the client app? I hoping there would be a login service that would provide a rolling tamper/anti-forgery key or something like that? Seems like we have a secure Azure service a missing middle part and a client SDKs. Have I missed something?
NB - No I don't want to use Azure AD, at least not for the users, for the App maybe. No I don't want to just use a Shared Key, that really isn't secure.

Answer 1

Hi @Paul Marsh ,

One option to secure the keys and connection strings to your azure services would be to use Azure Key Vault to store it as secrets. You can also store it as keys in the Key Vault if you want encryption.

Then you can maintain the mappings between the service key names and the Key Vault secrets/keys names in Table Storage. You can then have a service in your application that will access the table to get the Key Vault secret names and access the Key Vault to get the secrets during runtime if you have set the required access policies.

Link: https://learn.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates.

Hope this helps!

Answer 2

hello,
as an alternative approach you may develop own middleware using Azure functions which will communicate with storage - in this case you won't need to secure connection string. Instead you may configure authentication for Azure functions which support many authentication providers except Azure AD which you don't want to use (MS ID, Facebook, Google, Twitter).